Photo by Christina Gandolfo

Cyberattacks are surging: Accenture reports that cyber intrusions jumped by 125 percent, globally, in the first half of 2021 over the same period in 2020. And while all those data breaches and ransomware attacks have meant major headaches for companies and their customers, they’ve also roiled the cyber-insurance market: As claims pour in for losses due to everything from business disruptions to extortion, major carriers are raising premiums and reducing coverage.

Not everyone is retrenching, however. In 2021, cyber-insurance startup At-Bay stayed steady with its premiums and coverage for local schools and colleges in the education sector and the small- to medium-size businesses it serves in the United States. (The firm also raised $205 million in Series D funding, saw an eightfold increase in year-over-year premium revenues, and reached a valuation of $1.35 billion.) Its policyholders, meanwhile, were seven times less likely to experience a ransomware attack than the industry average.

The company’s advantage, claim cofounders Rotem Iram (MBA 2013) and Roman Itskovich (MBA 2012), is a combination of cybersecurity savvy and traditional insurance-business expertise.

Unlike most large, established carriers, which write policies to cover cyberattacks but do little to preempt them, At-Bay takes a preventive approach to cyber insurance. Before signing up a new policyholder, the company performs non-intrusive penetration tests on the prospective customer’s computer systems, probing for vulnerabilities in much the same way an attacker would. If those tests reveal chinks in an enterprise’s digital armor—obsolete servers, outdated software, lax protocols—then At-Bay’s security experts help to address the problems.

“About 5 percent to 7 percent of companies have issues that are so big and so easy to find, it’s almost a miracle they haven’t been breached yet,” says Iram (above, left), a former captain in Israeli military intelligence who established the risk, compliance, and advisory services firm K2 Intelligence before launching At-Bay in 2016.

At-Bay continues to perform automated scans of its clients’ systems for the duration of their policies, finding and plugging security holes as they appear. With approximately 14,000 customers and 2,000 more signing up each month, the company performs roughly 15,000 such AI-driven scans per month—each one reducing the likelihood that policyholders will suffer a breach, and that At-Bay will pay a large claim. The company even offers discounts to clients who adopt recommended security measures, just as car-insurance providers offer discounts for having alarm systems and antilock brakes. In that sense, the startup also plays a role in nudging enterprises toward less risky digital practices.

“Saving our clients from being breached is the prime directive,” says Itskovich, who previously worked at Bain Capital and financial services startup Ebury. “It’s great for our financial performance, but we also view this as a service to society.”

He means that literally: The ramifications of a breach can be far-reaching, yet the organizations that At-Bay serves typically lack the resources to protect themselves. “When a small town gets hit with ransomware and needs to spend $5 million on restoration, that’s money that doesn’t go to parks and roads and schools,” Iram explains.

If a client does suffer a breach, At-Bay picks up the tab for any direct financial losses that may ensue, along with a host of other costly consequences. For example, companies that have been compromised may be legally required to notify their customers or provide them with credit monitoring and other services; they also may be exposed to potential litigation.

“We help you find out what happened and stop the attack. We figure out if you have any legal obligations and pay for lawyers to fulfill them. We help you restore your systems and data, and pay for any loss of business you’ve had,” says Itskovich. Half of the startup’s 180 employees work in areas like security research and data science, while the rest handle traditional insurance activities such as underwriting and claims management.

At-Bay currently offers a core policy that covers direct costs of a cyberattack and protects companies if they are sued for disruptions to their computer systems, malicious or otherwise. But the company is preparing to move beyond cyber insurance: Later this year, it will introduce coverage designed to protect more than a hundred kinds of professionals from lawsuits filed by clients and customers (typically related to medical malpractice or errors in provided services).

Diversifying its offerings will give At-Bay access to a larger market while further endearing it to the brokers who bundle various policies for commercial customers. And while the startup won’t have the same advantage over its competitors once it moves beyond cyber-insurance, Iram and Itskovich believe the company’s nimble, data-driven approach will continue to give it an edge.

“We can still automate the hell out of those products, use machine learning to better gather data, develop better risk models, and move faster, with every additional line of insurance,” says Iram. “We have the opportunity to become the next generation of commercial insurer.”

Post a Comment